A number of Dutch market research firms using a piece of industry software called Nebu have been breached, and the fallout appears to include about two million Netherlands residents. The breached data seems to consist mostly of contact information, but it also includes income data, and in at least a small number of cases more sensitive personal information may have been included as well.
Vendor data breach spreads far-reaching chaos
The types of information leaked in the data breach vary quite a bit, given that a number of different organizations in different verticals were compromised. In some cases, the attackers got only basic contact information included with a survey, while in at least one other they may have taken sensitive information from a pension fund.
The victims thus far are all market research firms that use the Nebu software, which may have had some vulnerability. It remains difficult to pin down exactly what happened, as Nebu has clammed up, providing the media and the public with as little information as possible about the incident so far.
The first victim to report a data breach was Blauw, a qualitative research firm with some major clients, including the Netherlands national railway and the communication/entertainment firm VodafoneZiggo. Blauw says that the information of about 780,000 rail customers who filled out a marketing survey was exposed, and that this may include contact details such as email addresses and telephone numbers. A similar survey done for VodafoneZiggo exposed about 700,000 additional records, along with those of about 100,000 members of the Dutch Golf Association.
Surveys sent out by Blauw that contain fairly basic contact information thus account for about three-quarters of the exposed records, but there are some more troubling elements. The market research firm also says that about 27,000 Netherlands Enterprise Agency records were exposed, and that these may have contained information about subsidies and financial support that entrepreneurs are seeking to apply for. Blauw data connected to the PME Pension Fund was also exposed, though the company says that identification numbers and bank information were not included in the data breach.
Another market research firm, USP, has since reported that it also had a large amount of similar survey information stolen. In total it lost records belonging to 100,000 to 150,000 Netherlands residents and an additional 350,000 people living outside the country. USP says that similar contact information (such as email addresses and telephone numbers) was contained in these records.
The market research firms have thus far responded to the data breach very differently. USP says that it will continue its relationship with Nebu and that it considers the incident an anomaly after a 20-year business partnership that had previously been trouble-free. Blauw, on the other hand, expressed consternation at Nebu's refusal to provide details and has filed a lawsuit against the software vendor in an attempt to obtain more information.
While these are the two largest known victims, it is thought that some number of other market research firms in the country have been similarly compromised but have either yet to come forward or have yet to realize that they have been hit by a data breach.
Netherlands market research firms mostly lost collected survey data
Though the data breach mostly impacted survey data, some of these surveys may have contained sensitive personal information that could land the market research firms or the software vendor in hot water under data privacy laws. Among the data presently known to be lost, this could include, in addition to income information, gender and replies about health conditions.
Netherlands residents who have taken marketing surveys (such as customer satisfaction ratings) in the recent past are potentially impacted by the data breach, and may want to check whether one of the market research firms that have made disclosures thus far handled the survey. For most the impact will likely be minimal, but all should be on heightened alert for phishing attempts that might use the stolen information to create a layer of authenticity.
The Dutch Data Protection Authority has become one of the more aggressive privacy watchdogs in the EU, actively auditing big tech firms and threatening to bar products from the country if standards are not improved. Some companies are now using the Dutch standards as a benchmark to determine whether their privacy and security practices will pass General Data Protection Regulation muster throughout the rest of the bloc. It remains to be seen what responsibility the breached market research firms might bear under the law, but the software vendor will likely be dealing with the lion's share of the consequences.